(54) User selector proxy, method and system for authentication, authorization and accounting

(57) The basic problem addressed by the present invention is the free disposition of users, without restrictions on user identifiers, among a plurality of AAA-servers within an ISP network, for allowing AAA-service network scalability and for hiding the AAA-service network configuration from external AAA-clients. The present invention solves the problem discussed above by placing a User Selector Proxy as entry point to the AAA-service network within an ISP network, the User Selector Proxy being responsible for determining an AAA-server in charge of the user and able to direct AAA-service requests to the appropriate AAA-server.
Description

FIELD OF THE INVENTION 

[0001] The present invention generally relates to a telecommunication network coupled to a serving network of an Internet Service Provider (ISP) for carrying out the authentication, authorization and accounting of remote-access users. More particularly, the invention pertains to means, system and method for enabling networks of the above type to determine the appropriate Authentication, Authorization and Accounting server (hereinafter referred to as an AAA-server) in charge of a user having issued a service request.

BACKGROUND 

[0002] Access to Internet services is nowadays given by an ISP. In the most general scenario, different operators manage the ISP network and the access network. Both networks are thus considered separate networks. The ISP performs authentication, authorisation and accounting checks on users accessing its services via an access network; in particular, these users are subscribers of a telecommunication network acting as an access network to the ISP network.

[0003] Thus, when a user of a telecommunication network wishes to connect with a certain server that belongs to an ISP, a service request is sent from the user to said ISP server via a Network Access Server (NAS), which belongs to the telecommunication network. Nevertheless, said user must be previously authenticated and said service request must be previously authorized by an entity such as an Authentication, Authorization and Accounting server (AAA-server). To this end, when the user sends a service request toward the NAS he also enters a user identifier and a password for his own identification. This information is sent toward the AAA-server using a communication protocol such as the Remote Authentication Dial In User Service (generally known as RADIUS), or the RADIUS upgrade known as the DIAMETER protocol, or the like.

[0004] The Internet Engineering Task Force (IETF) defines the RADIUS protocol in RFC 2865. Likewise, the DIAMETER protocol is defined in "draft-ietf-aaa-diameter-08.txt", which is also driven by the IETF. The basic concept behind DIAMETER is to provide a base protocol that can be extended in order to provide AAA-services for new access-related technologies. Both RADIUS and DIAMETER specifications describe protocols suitable for carrying out the authentication and authorization as well as for collecting the accounting information between the NAS and the AAA-server where the NAS desires to authenticate its links.

[0005] Provided that the protocol used is RADIUS, when a NAS operating as a client of a RADIUS AAA-server receives an incoming service request, said NAS obtains identification information from the user, namely a Name and a Password, and then issues an authentication request to the RADIUS AAA-server. The RADIUS AAA-server, upon receiving the identification information and other NAS information, authenticates the user. That is, depending on who the user is, he is authorized to have access to different services and possibilities. The RADIUS attributes carry the specific authentication and authorization data as well as information and configuration details for the request and reply packets.

[0006] For instance, attributes that can be carried in these packets are the User-Name, User-Password, and others. In particular, the attribute User-Name indicates the name of the user to be authenticated. The format of this User-Name in the RADIUS protocol may be one of several forms:

- Text, a form consisting only of UTF-8 encoded characters
- Network Access Identifier (NAI), namely username@realm, as described in RFC 2486
- Distinguished Name (DN), which is a name in ASN.1 form used in Public Key authentication systems

[0007] On the other hand, when DIAMETER is the protocol used, the procedure is similar to the previous case. A NAS acting as a client of a DIAMETER AAA-server initiates a request for authentication and/or authorization of a given user towards said DIAMETER AAA-server. The DIAMETER AAA-server, upon receiving the identification information and other NAS information, authenticates the user. That is, depending on who the user is, he is authorized to have access to different services and possibilities.

[0008] Any data transferred by the DIAMETER protocol is in the form of an Attribute Value Pair (hereinafter AVP). Said AVP is used by the base DIAMETER protocol, among other things, for transporting the user authentication information towards the DIAMETER AAA-server. The user name is provided in the User-Name AVP, which allows an NAI format, or in a UTF-8 format consistent with the NAI specification.

[0009] A typical scenario of a telecommunication network coupled to an ISP for providing Internet services is the provision of Internet access in a General Packet Radio Service (GPRS) network. In this scenario, a Gateway GPRS Support Node (hereinafter GGSN) may inter-work with an AAA-server, typically using the RADIUS protocol. Thus, a GGSN acts as a client of a RADIUS AAA-server.

[0010] Another scenario is a Wireless Local Area Network (WLAN) accessing the Internet through a WLAN Access Point connected to an AAA-server by means of the DIAMETER or RADIUS protocols. Thus, a WLAN Access Point may respectively act as a client of a DIAMETER AAA-server, or as a client of a RADIUS AAA-server.

[0011] Nowadays, the ISPs store user information for all their users in large backend databases, namely AAA-servers, which the AAA-client may access. In scenarios where the number of users is very high, this solution is not easily scalable, as the size of the databases and the number of queries per second necessarily decrease the network performance. In particular, provided that each ISP has organized its users in a unique large AAA-server, a direct relation between said AAA-server and the requesting AAA-client must be maintained during the complete session which, in the case of accounting related transactions, may penalize the expected AAA-server performance.

[0012] An immediate solution for an ISP having a very high number of users may be that the ISP needs more than one AAA-server to organize its user information. A first disadvantage of this multiple AAA-server frame is that the security relations between the AAA-client and the different AAA-servers become more complicated. A second disadvantage is that the ISP network structure becomes more visible to the AAA-client, which may be a NAS operated by another operator, and thus produces network configuration dependencies between the ISP and the operator of the telecommunication network.

[0013] Independently of the disadvantages above, the AAA-clients requesting service from an ISP having a plurality of AAA-servers need to know which AAA-server should be contacted for a particular service request of a certain user. In the absence of other criteria, an AAA-client might perform sequential queries to those AAA-servers of a coupled ISP until finding the appropriate AAA-server in charge of a certain user.

[0014] Better performance than with sequential queries may be achieved by interposing an AAA-proxy between the AAA-client and an ISP network having a plurality of AAA-servers. Such an AAA-proxy is typically able to differentiate between AAA-servers on a per domain basis. Thus, by making use of user identifiers in a NAI format or likewise, namely username@realm, an ISP may dispose its users amongst different AAA-servers on a per realm basis. The AAA-proxy above is then able to determine the specific AAA-server in charge of all users in a specific domain, namely the domain addressed by the realm shared by such users.

[0015] Currently, there is no other criterion for disposing users amongst AAA-servers in an ISP network. In this respect, just the well-known and structured realm in a NAI format above, for example "acme.com", may be used to unambiguously determine a unique AAA-server responsible for a certain domain in an ISP network.

[0016] However, there are User-Name formats other than NAI, or not consistently structured, or even unstructured, for which such an AAA-proxy is not able to distinguish among a plurality of AAA-servers, and this is a major drawback for the ISPs. For instance, an AAA-proxy receiving service requests from a GGSN acting as a NAS of a GPRS network, the GGSN making use of the Mobile Subscriber ISDN number (MSISDN) as user identifier, is not able to select one of a plurality of AAA-servers for this sort of user identifier.

[0017] Moreover, and even for User-Names in NAI formats, said AAA-proxy is not able to distinguish more than one AAA-server for the same domain. That is, all the users given the same realm in a NAI format must be located in the same AAA-server in a certain ISP network. This unique disposition of all users with the same domain or realm in the same AAA-server is still considered a drawback for the ISPs, since more complicated mechanisms for load balancing between AAA-servers of different capacity should be introduced.

[0018] A further drawback, where User-Name formats do not include a realm or domain identifier, is that the inclusion of the aforementioned AAA-proxy as such does not solve the identification of a unique AAA-server in charge of a certain user in an ISP network having a plurality of AAA-servers. In this respect, operators of a telecommunication network, where subscriber identifiers do not include a realm or domain identifier, might see this AAA-proxy as a superfluous entity penalizing the AAA-service performance. However, the introduction of this AAA-proxy may overcome, or at least minimize, the two aforementioned disadvantages, security relations and visibility of ISP network structure, especially when the AAA-proxy belongs to the ISP network. In this particular case, the inclusion of such an AAA-proxy benefits the ISP interest whereas it penalizes operators of telecommunication networks of the type above.

[0019] Thereby, it is a first object of the present invention to provide the means and methods for disposing users of AAA-services amongst a plurality of AAA-servers independently from user identifier schemes, structures and applicable service.

[0020] It is a further object of the present invention to make the first object above compatible with the inclusion of an upgraded AAA-proxy in order to solve said first and second disadvantages above, those related to security relations and visibility of ISP network structure, said upgraded AAA-proxy being able to select the appropriate AAA-server in charge of a given user independently from user identifier schemes, structures and applicable service, thus accomplishing the first object of the present invention.

RELATED ART

[0021] An interesting starting point is found in typical wireless systems of 2nd generation like GSM and ANSI-41 networks. As said wireless systems were getting more and more subscribers, the operators wanted high dimensioned subscriber databases like the Home Location Register (HLR) in order to hold a huge amount of subscriptions, minimising the O&M activities, and optimising the routing tables in the Signalling System number 7 (SS7) network. The more recent appearance of Number Portability requirements, in some cases by law regulation, where individual subscribers were moved from one HLR belonging to one operator to another HLR belonging to another operator, definitely made a database selector a must.

[0022] An exemplary description of such a database selector can be found in the international application WO 99/23838, wherein said database selector in a certain network is referred to as Flexible Number Register (FNR). This FNR is the natural entry point in a wireless network of 2nd generation for queries related to those subscribers whose user number series belong to said network, independently of what network currently holds the subscriber subscription. That is, said FNR comprises all the user number series addressing such network and also individual user numbers for subscribers ported into this network from another network. Besides, individual user numbers of home subscribers who have been ported to another network are specially marked and have a particular network identifier to reach an entry node in the network where the subscriber currently holds his or her subscription.

[0023] Subscriber related queries based on user numbers such as IMSI or E.164 formats are addressed to the FNR in a network addressed by said IMSI or E.164 format. These formats correspond to well-structured number series of a predefined length. Then, the FNR determines whether the query should be simply transferred to the appropriate HLR within its own network, for subscribers never ported or imported from other networks, or the query should be redirected to the appropriate network where the subscriber has been exported. All the required routing and addressing mechanisms are carried out at lower signalling layers like the Signalling Connection Control Part (SCCP) within SS7.

[0024] Even though this solution is considered relevant prior art, it still presents serious limitations for a direct applicability to newer scenarios interconnecting traditional fixed and wireless telephony networks with Internet and Multimedia service networks in large telecommunication systems. For example, this FNR prior art just considers signalling, routing, and addressing in accordance with SS7 principles, where subscriber or user identifiers are merely based on structured numbers. Moreover, at least one of the identifiers associated to a subscriber must be structured in such a way that the analysis of such number unambiguously identifies the appropriate HLR. Still another limitation of this previous solution is that neither other newer identifier realms, nor protocol support other than SS7 related upper layers, were considered during the development of these 2nd generation wireless networks. Further, there is nothing anticipated in this prior art in respect of service-dedicated servers, such as those related to AAA-services, that must be addressed in response to queries based on corresponding user identifiers.

[0025] Thereby, the aforementioned objects of the present invention do not seem to be accomplished or anticipated by the teachings of the application above. In this respect, the provision of means and method for allowing a balanced disposition of users amongst a plurality of AAA-servers independently from user identifier schemes, structures and applicable service is still an object of the present invention. Said means and method, compatible with the introduction of an AAA-proxy between the AAA-client and an ISP having a plurality of AAA-servers for supporting said balanced disposition of users, is still another object of the present invention.

SUMMARY OF THE INVENTION 

[0026] A User Selector Proxy (USP) is provided for supporting a balanced disposition of users independently from user identifier schemes, structures and applicable service while acting as a proxy, thus accomplishing the objects of the present invention.

[0027] Therefore, this USP comprises means for receiving Authentication, Authorization, and Accounting (AAA-) service requests from an AAA-client, means for extracting a user domain from a received user identifier, means for identifying the AAA-server in charge of the user domain in an Internet Service Provider (ISP) network, means for submitting the AAA-service request to an AAA-server, means for receiving the corresponding AAA-service response from said AAA-server, and means for returning the AAA-service response to the AAA-client having issued the request. This USP in accordance with the invention also comprises means for analyzing the received user identifier, in either a structured or unstructured format and independently of identifier schemes, in order to determine whether all the user identifier fields, or a User-Name alone, or the user domain alone, or a combination thereof is taken for selection of an AAA-server in charge of this user; and means for selecting an AAA-server in charge of said user in an Internet Service Provider (ISP) network.

[0028] For the sake of efficiency, the User Selector Proxy further comprises a storage on an individual user basis, or on a group of users basis, or both, for storing at least one identifier for each at least one AAA-server in charge of a given individual user or group of users. In particular, this storage may be offered by an internal or external database comprising relationships between user identifiers and AAA-server identifiers on per user and/or per group of users bases.

[0029] A further advantageous disposition of users may be achieved by having a User Selector Proxy adapted for replacing any of the user identifier fields, or any combination thereof, by new ones on an individual user basis, or on a group of users basis, or both, or on an AAA-server basis. To this end, relationships like the above may further include new user identifier fields, and the USP comprises replacing means for applying said new user identifier fields.

[0030] In addition, and for the sake of compatibility, the User Selector Proxy above is adapted for communicating with an AAA-client with a protocol operating according to RADIUS or DIAMETER protocol specifications.

[0031] Thus, this User Selector Proxy can be used as an Authentication, Authorization, and Accounting proxy (AAA-proxy) with which users identified by user identifiers in a non-NAI format can also be disposed among a plurality of AAA-servers.

[0032] The invention also provides a method for providing Authentication, Authorization, and Accounting (AAA-) services in a telecommunication network coupled to an Internet Service Provider (ISP). This method comprises the steps of receiving an AAA-service request at an AAA-proxy from an AAA-client; extracting a user domain from a received user identifier included in the AAA-service request; identifying at said AAA-proxy the AAA-server in charge of said user in said Internet Service Provider (ISP) network; submitting the AAA-service request from the AAA-proxy to said AAA-server; receiving the corresponding AAA-service response at the AAA-proxy from said AAA-server; and returning the AAA-service response from the AAA-proxy to the AAA-client having issued the request. In this respect, at least the communication between the AAA-proxy and the AAA-client is carried out with a protocol operating according to RADIUS or DIAMETER protocol specifications.

[0033] Further, the step of identifying at an AAA-proxy the AAA-server in charge of an indicated user comprises the steps of analyzing the received user identifier, in either a structured or unstructured format, to determine whether all the user identifier fields, or a User-Name alone, or the user domain alone, or any combination thereof is taken for selection of an AAA-server in charge of this user; and selecting an AAA-server in charge of said user in an Internet Service Provider (ISP) network.

[0034] In order to improve the efficiency of the method above, a previous step is provided of storing at the AAA-proxy, on an individual user basis, or on a group of users basis, or both, at least one identifier for each at least one AAA-server in charge of a given individual user or group of users.

[0035] The method also comprises the advantageous step of replacing at the AAA-proxy any of the user identifier fields, or any combination thereof, by new ones on an individual user basis, or on a group of users basis, or both, or on an AAA-server basis.

[0036] The invention thus provides a system that comprises a telecommunications network coupled to an Internet Service Provider (ISP) network via a Network Access Server (NAS), wherein the User Selector Proxy (USP) above, acting as an enhanced AAA-proxy, is the entry point to said ISP network, the NAS thus inter-working with the USP.

BRIEF DESCRIPTION OF DRAWINGS 

[0037] The features, objects and advantages of the invention will become apparent by reading this description in conjunction with the accompanying drawings, in which:

[0038] FIG. 1 represents a partial view of a current network architecture showing how a client requests Authentication, Authorization and Accounting (AAA-) service from Internet Service Provider (ISP) networks, wherein a first ISP network has an AAA-server per domain, and a second ISP does not distinguish domains.

[0039] FIG. 2 represents a relevant partial view of a network architecture according to the invention where a client requests AAA-services from ISP networks, both ISP networks having a plurality of AAA-servers for disposing users, and having a user selector proxy as entry point to each ISP network.

[0040] FIG. 3 schematically shows an application of the user selector proxy inter-working with an AAA-client and with a particular AAA-server by using the RADIUS protocol.

[0041] FIG. 4 basically shows a message flow for the establishment of security associations between an AAA-client and a user selector proxy, and between the user selector proxy and a particular AAA-server.

[0042] Fig. 5a shows an exemplary user disposition table storing relationships between users, groups of users and the at least one AAA-server in charge of each user or group of users.

[0043] Fig. 5b shows, by way of contrast, the conventional disposition of users on a per domain basis among several AAA-servers, each AAA-server in charge of a user domain.

[0044] Fig. 6 illustrates an embodiment of a user selector proxy comprising routing means and protocol means separate from and co-operating with processing means.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0045] Commonly, an AAA-proxy is adapted for receiving AAA-service requests from an AAA-client. The term AAA-client is a generic form whereas, in particular, a Network Access Server (NAS) for a telecommunication network accessing an Internet Service Provider (ISP) may be in fact an AAA-client. In accordance with Fig. 1, a generic AAA-client (4) is coupled to a first and a second Internet Service Provider (ISP-1, ISP-2) for giving access to the Internet network (6). Such an AAA-client (4) might be a NAS connected to a telecommunication network with different user identifiers for different purposes. In this typical architecture, an ISP (ISP-1) handling user identifiers in the NAI form, with explicit indication of a realm or domain, may dispose its users amongst several AAA-servers (1, 2), each AAA-server responsible for a particular domain. Such ISP (ISP-1) may also have an AAA-proxy (5) for determining which particular AAA-server (1, 2) is in charge of a given subscriber at a domain for authentication, authorization and accounting services. On the other hand, an ISP (ISP-2) handling user identifiers in a format other than the NAI form, either structured or unstructured, cannot have any benefit from interposing such an AAA-proxy for accessing its unique AAA-server (3). That is why the AAA-proxy is typically included in an ISP network where a plurality of AAA-servers exist, each AAA-server responsible for a certain domain, instead of being part of the telecommunication network, or part of an access network. Moreover, such AAA-proxy (5) is thus able to hide the internal ISP (ISP-1) topology from its co-operating AAA-clients.

[0046] The following describes currently preferred embodiments of means, method and system for allowing a balanced disposition of users amongst a plurality of AAA-servers independently from user identifier schemes, structures and applicable service. In accordance with an aspect of the present invention, a User Selector Proxy (hereinafter referred to as USP) is provided for acting as an upgraded AAA-proxy and thus receiving AAA-service requests from an AAA-client addressing an ISP having a plurality of AAA-servers in charge of balanced dispositions of users.

[0047] As shown in Fig. 2, the Internet Service Provider (ISP-1, ISP-2) comprises a plurality of AAA-servers (11, 12, 13, 21, 22, 23) such that they are addressed by a USP (10, 20) which is in turn connected to an AAA-client (4). That is, each Internet Service Provider (ISP-1) (ISP-2) has its users disposed amongst a plurality of AAA-servers (11, 12, 13) (21, 22, 23) in its own ISP network, the USP of each ISP network thus being responsible for analyzing the user identifiers enclosed in the service requests received from the AAA-client (4).

[0048] Therefore, the USP (10, 20) comprises processing means to analyse all the user identifier fields, or a User-Name alone, or the user domain alone, or a combination thereof, in order to perform the routing of the AAA-service request received from an AAA-client toward a specific AAA-server in charge of the corresponding user.

[0049] In addition to said processing means above, the USP is also provided with an internal database structure or, more generally speaking, a storage for storing at least one identifier for each at least one AAA-server in charge of a given individual user or group of users. This ensures that at least one AAA-server may be in charge of a particular subscriber or group of subscribers.

[0050] Moreover, in accordance with another aspect of the present invention, more than one AAA-server could be assigned to any particular user for redundancy or load sharing purposes, which offers additional and unexpected advantages to classical ISP networks. One AAA-server among a plurality of possible AAA-servers might be selected, for example, depending on an availability status, a load sharing status, an additional priority field, by sequential communications, or other selection criteria.

[0051] Furthermore, in accordance with still another aspect of the present invention, in case no particular AAA-server may be determined for a user or group of users, the AAA-service request is simply discarded in order to preclude Denial Of Service (DoS) attacks. This also offers unexpected advantageous protection to the ISP network.

[0052] In this respect, Fig. 5a and Fig. 5b respectively show the logical relationship and other data that the USP according to the invention and a traditional AAA-proxy comprise. By way of contrast, a storage (51) included in the USP (10, 20) comprises relevant AAA-server data for at least one AAA-server in charge of specific users or groups of users, whereas a classical AAA-proxy merely stores (52) the AAA-server addresses on domain premises. Further, said storage (51) included in the USP also comprises modified attributes, such as a new realm, or a new User-Name, or new user identifier fields, or combinations thereof, for replacing the received ones. Such modification data also apply per individual user as well as per group of users.

[0053] More specifically, an embodiment of the present invention is illustrated in Fig. 5a wherein a possible user disposition table (51) at a USP is presented. The interested reader can appreciate in this table that different users from different domains (Realm.number) are present, some of them being grouped (Gr-number) whereas others remain on an individual basis. Where users of different domains are grouped, the at least one AAA-server in charge of all the users in a group is thus marked on a group basis rather than on an individual basis. On the other hand, users who are not grouped are individually assigned at least one AAA-server in charge of each user on an individual basis. Moreover, each particular user may be given a new User-Name or a new Realm for replacing the received one before the AAA-service request is directed to the appropriate AAA-server. Furthermore, both users and groups can be given a new Realm for replacing the received one as well.

[0054] This and other exemplary dispositions may be instanced for allowing a balanced disposition of users among a plurality of AAA-servers depending on different criteria under Internet Service Provider premises. Anyone of ordinary skill in this art is expected to suggest other embodiments not substantially differing from the approach above and thus comprised under the scope of the present invention.

[0055] The USP (10, 20) shown in Fig. 2 thus receives the traffic generated from the AAA-client (4) side and directs it toward the corresponding AAA-server (11, 12, 13) (21, 22, 23) active for the given subscriber and belonging to the applicable Internet Service Provider (ISP-1) (ISP-2).

[0056] Therefore, a particular USP (1 0, 20), as shown 
50 in Fig. 6, receives any AAA-service request from an 
AAA-cllentforan indicated userthrough protocol means 
(50). Then, processing means (53) extracts all relevant 
user identifier fields which are analysed in co-operation 
with the internal database storage (51) to determine 
55 firstly whether or not any particular user identifier field, 
or combinations thereof, must be replaced by given new 
user identiflerf lelds forthe Indicated user. And secondly, 
the processing means (53) likely In co-operation with 
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routing means (54) determine an address of a preferred 
at least one AAA-server in charge of the user, where the 
AAA-service request is directed. An interested reader 
can appreciate that the routing means may be included 
as a part of the processing means without substantially 
changing the expected technical behaviour. 
[0057] For example, in a telecommunication network 
like a GPRS network a Network Access Server (NAS) 
may be used for accessing an ISP network giving ac- 
cess the GPRS users to the Internet network. Such NAS 
acts then as an AAA-client issuing the AAA-service re- 
quests to a User Selector Proxy (USP) in accordance 
with the invention. The communication between the 
USP and the NAS may be carried out with a protocol 
like RADIUS or DIAIVIETER, for example, being a user 
identified by his or her MSISDN. 
[0058] The sequence diagram shown in Fig. 3 is an illustrative instance of the method for requesting an AAA-service where the protocol used is RADIUS. The NAS issues a RADIUS Access Request including the user identifier toward the User Selector Proxy. Such request is ultimately handled by the processing means (53), which in this preferred embodiment comprises the protocol means (50) and the routing means (54) referred to as separate logical entities in Fig. 6. Said processing means (53) queries (S-31) an internal database (51) in the User Selector Proxy in order to obtain an address for directing the RADIUS Access Request to the appropriate AAA-server in charge of this user. The internal database answers (S-32) to the processing means with such AAA-server address and, optionally, a new user identifier (User Identifier bis). Eventually, the processing means routes the received RADIUS Access Request with the applicable user identifier toward said AAA-server.
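As an added example (Python, not the patent's own code), the disposition step of [0056] and [0058] carried through on a constructed table written in the style of the patent's disposition table: the received identifier is analysed, identifier fields are replaced from per-user or group-level rows, an available AAA-server is chosen in preferred order (claim 15), and the request is refused when none can be selected (claim 16). Reading the X characters of the table's MSISDN entries as wildcard digits, and giving user rows precedence over group rows, are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Entry:
    """One row of the disposition table (every field optional, as in the patent's table)."""
    group: Optional[str] = None      # group row that supplies defaults for this user
    new_user: Optional[str] = None   # replacement User-Name, if any
    new_realm: Optional[str] = None  # replacement realm, if any
    servers: list[str] = field(default_factory=list)  # AAA-servers in preferred order

# Constructed table (an assumption, not the patent's data) in the style of the
# disposition table: keys are structured NAIs "user@realm", unstructured MSISDN
# prefixes with X wildcards, or group names whose rows hold group-level defaults.
TABLE = {
    "User-1@Realm.1": Entry(group="Gr-1", new_user="User-A"),
    "User-2@Realm.3": Entry(new_user="User-5", servers=["AAA-s2"]),
    "123456XXXXXX":   Entry(new_realm="Realm-6", servers=["AAA-s4", "AAA-s3"]),
    "Gr-1":           Entry(new_realm="Realm-5", servers=["AAA-s3", "AAA-s4"]),
}

def match(uid: str) -> Optional[Entry]:
    """Exact match for structured identifiers, wildcard-prefix match for unstructured ones."""
    if uid in TABLE:
        return TABLE[uid]
    for key, entry in TABLE.items():
        if "X" in key and len(key) == len(uid) and all(
                k == "X" or k == u for k, u in zip(key, uid)):
            return entry
    return None

def dispose(uid: str, available: set[str]) -> Optional[tuple[str, str]]:
    """Return (AAA-server, identifier to forward), or None when the request must be refused."""
    entry = match(uid)
    if entry is None:
        return None
    # Per-user fields take precedence; the group row fills whatever the user row leaves open.
    chain = [entry] + ([TABLE[entry.group]] if entry.group in TABLE else [])
    user, _, realm = uid.partition("@")
    new_user = next((e.new_user for e in chain if e.new_user), user)
    new_realm = next((e.new_realm for e in chain if e.new_realm), realm)
    forwarded = f"{new_user}@{new_realm}" if new_realm else new_user
    servers = next((e.servers for e in chain if e.servers), [])
    # Claim 15: first preferred server that is currently available; claim 16: none, so refuse.
    server = next((s for s in servers if s in available), None)
    return (server, forwarded) if server else None
```

The AAA-client only ever addresses the proxy; which AAA-server was chosen, and whether the identifier was rewritten, stays internal to the ISP network, which is the hiding property described in [0060].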

[0059] Provided that an embodiment of the USP as illustrated in Fig. 6 is preferred for use in the preceding case, the RADIUS Access Request is received at the processing means via protocol means (50). Further, the address of an appropriate AAA-server, returned (S-32) from the internal database (51), is determined by the processing means likely in co-operation with routing means (54). Eventually, the RADIUS Access Request is directed from the processing means (53) via protocol means (50) to the AAA-server.
[0060] It should be noted that the traffic flows between the AAA-client (4) and the User Selector Proxy (10, 20) are independent from the traffic flows between the User Selector Proxy (10, 20) and the AAA-servers (11, 12, 13) (21, 22, 23). Consequently, the AAA-client (4) establishes, if needed, security relations or security associations with the User Selector Proxy (10, 20), thus completely hiding the existence of the AAA-servers (11, 12, 13) (21, 22, 23) in a particular ISP network (ISP-1, ISP-2) from a security association point of view.
[0061] In this respect, Fig. 4 shows a security association establishment in accordance with an aspect of the invention. An AAA-client, which in particular might be a Network Access Server (NAS) for accessing to or from a telecommunication network, issues a Security Association request including a user identifier toward the User Selector Proxy. Such request is handled by the processing means (53) that may comprise the protocol means (50), and the routing means (54) illustrated in Fig. 6, or may follow an alternative embodiment as explained for Fig. 3 though not further depicted. Said AAA-proxy means queries (S-41) an internal database in the User Selector Proxy in order to obtain an address for directing the Security Association request to the appropriate AAA-server in charge of this user. The internal database answers (S-42) to the AAA-proxy means with the AAA-server address, and the AAA-proxy routes the received Security Association request toward said AAA-server.

[0062] The invention is described above in connection with various embodiments in a non-restrictive manner but merely illustrative. Those of ordinary skill in this art may modify these embodiments without substantially differing from the scope defined by the following claims.



Claims 

1. A User Selector Proxy, comprising means for receiving Authentication, Authorization, and Accounting (AAA-) service requests from an AAA-client, means for extracting a user domain from a received user identifier, means for identifying the AAA-server in charge of said user domain in an Internet Service Provider (ISP) network, means for submitting the AAA-service request to said AAA-server, means for receiving the corresponding AAA-service response from said AAA-server, and means for returning the AAA-service response to the AAA-client having issued the request, the User Selector Proxy characterized in that it also comprises:

(a) means for analyzing the received user identifier, in either a structured or unstructured format, to determine whether all the user identifier fields, or a User-Name alone, or the user domain alone, or a combination thereof is taken for selection of an AAA-server in charge of this user; and

(b) means for selecting an AAA-server in charge of said user in an Internet Service Provider (ISP) network.

2. The User Selector Proxy in claim 1, further comprising storage on individual user basis, or on group of users basis, or both, for storing at least one identifier for each at least one AAA-server in charge of a given individual user or group of users.

3. The User Selector Proxy in any of claims 1 or 2, further comprising means for replacing any of the user identifier fields, or any combination thereof, by new ones on an individual user basis, or on group of users basis, or both, or on an AAA-server basis.

4. The User Selector Proxy in any of claims 1 to 3, wherein the protocol used for communication between the User Selector Proxy and the AAA-client is RADIUS.

5. The User Selector Proxy in any of claims 1 to 3, 
wherein the protocol used for communication be- 
tween the User Selector Proxy and the AAA-client 
is DIAMETER. 

6. The use of the User Selector Proxy in any preceding 
claim as an Authentication, Authorization, and Ac- 
counting proxy (AAA-proxy). 

7. A system comprising a telecommunications network coupled to an Internet Service Provider (ISP) network wherein the AAA-proxy in claim 6 is the entry point to said ISP network.

8. The system in claim 7, wherein the telecommunication network is coupled to the Internet Service Provider (ISP) network via a Network Access Server (NAS), the NAS thus inter-working with the AAA-proxy.

9. A method for providing Authentication, Authorization, and Accounting (AAA-) services in a telecommunication network coupled to an Internet Service Provider (ISP), the method comprising the steps of:

(a) receiving an AAA-service request at an AAA-proxy from an AAA-client;

(b) extracting a user domain from a received user identifier included in the AAA-service request;

(c) identifying at said AAA-proxy the AAA-server in charge of said user in said Internet Service Provider (ISP) network;

(d) submitting the AAA-service request from the AAA-proxy to said AAA-server;

(e) receiving the corresponding AAA-service response at the AAA-proxy from said AAA-server; and

(f) returning the AAA-service response from the AAA-proxy to the AAA-client having issued the request,

the method characterized in that the step c) comprises the steps of:

(c1) analyzing the received user identifier, in either a structured or unstructured format, to determine whether all the user identifier fields, or a User-Name alone, or the user domain alone, or any combination thereof is taken for selection of an AAA-server in charge of this user; and

(c2) selecting at least one AAA-server in charge of said user in an Internet Service Provider (ISP) network.

10. The method in claim 9, comprising a previous step of storing at the AAA-proxy on individual user basis, or on group of users basis, or both, at least one identifier for each at least one AAA-server in charge of a given individual user or group of users.

11. The method in any of claims 9 or 10, further comprising the step of replacing at the AAA-proxy any of the user identifier fields, or any combination thereof, by new ones on an individual user basis, or on group of users basis, or both, or on an AAA-server basis.

12. The method in any of claims 9 to 11, wherein the protocol used for communication between the AAA-proxy and the AAA-client is RADIUS.

13. The method in any of claims 9 to 11, wherein the protocol used for communication between the AAA-proxy and the AAA-client is DIAMETER.

14. The method in any of claims 9 to 13 wherein the User Selector Proxy in claim 6 is the entry point to the Internet Service Provider (ISP) network.

15. The method in any of claims 9 to 14 wherein an available AAA-server is selected from a plurality of AAA-servers in charge of a user in accordance with availability status or other selection criteria.

16. The method in any of claims 9 to 15 wherein an AAA-service request is refused or discarded when no AAA-server can be selected at the step c2) of selecting at least one AAA-server in charge of a user or group of users.

User Selector Proxy disposition table

User Identifier    Group    New User-Name    New Realm    AAA-server Identifier
User-1@Realm.1     Gr-1     User-A           None
User-2@Realm.1     Gr-2
User-1@Realm.2                                            AAA-s1, AAA-s3
User-2@Realm.2
User-3@Realm.2     Gr-2     User-5           Realm-5
User-1@Realm.3     None     None             None         AAA-s1
User-2@Realm.3     None     User-5           None         AAA-s2
123456XXXXXX       None     None             Realm-6      AAA-s4, AAA-s3
456xxxxxxx         None     123456           None         AAA-s2, AAA-s1
9.8.7@Realm.3      Gr-1     None             Realm-6
Gr-1               None     None             Realm-5      AAA-s3, AAA-s4
Gr-2               None     None             None         AAA-s1
Traditional AAA-Proxy routing table

User domain          AAA-server Identifier
Realm.1 (abc.com)    AAA-server-1
Realm.2 (def.com)    AAA-server-2
Realm.3 (ghi.com)    AAA-server-3